The new HIPAA final rule significantly affects the functions business associates perform and the liabilities they now face. Below we have provided a brief summary of key issues business associates should be aware of.
BUSINESS ASSOCIATE DEFINITION
When first implemented, HIPAA defined a business associate as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of – or provides services to – a covered entity; a member of the covered entity’s workforce would not be a business associate. Under the final rules, “business associate” has been amended to mean any person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity.
This new definition expands the application of HIPAA to include subcontractors of business associates (as long as they create, receive, maintain or transmit PHI in performance of duties delegated by the business associate). The 2013 final rule provides that a covered entity is not required to enter into a business associate agreement directly with a subcontractor of a business associate. However, a business associate is required to have an agreement with a subcontractor.
Further broadening the definition of business associate, a new category of services (“patient safety activities”) is now included in the list of activities a person or entity may perform for a covered entity. This new category will give rise to new business associate relationships. Thus, under the final rule, the following three categories of service providers are identified as business associates:
- Health information organizations
- Vendors of personal health records
- Others that facilitate data transmission
The final rule clarifies that entities that store PHI, either electronically or in hard copy, are business associates, even if they do not access, use or disclose that information. Storage providers may include vendors that host ePHI which is accessed and used as part of routine business practices (e.g., email, website or server hosting vendors; vendors that store ePHI for backup, disaster recovery, or archival purposes) as well as hard copy document storage vendors.
An exception exists for entities that merely provide courier or transmission services (in digital or hard copy), such as courier services, the United States Post Office and internet service providers.
BUSINESS ASSOCIATE LIABILITY
HHS clarified in the preamble to the final regulations that business associates are directly liable under the HIPAA privacy and security rules. Therefore, a business associate agreement must exist between a business associate and its subcontractor.
Business associates are directly liable for:
- Impermissible uses and disclosures of protected health information
- Failing to provide breach notifications to the covered entity
- Failing to disclose protected health information to the HHS when required
- Failing to disclose protected health information to the covered entity or an individual whose protected health information is at issue, if that individual has requested such information
- Failing to comply with the minimum necessary standards
- Failing to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI
Business associates may also be contractually liable for any additional HIPAA privacy obligations to which they contractually agree. For instance, a business associate is not necessarily required to distribute a Notice of Privacy Practices; however, having agreed to distribute the notice, the business associate will face contractual damages if it does not honor the agreement.
Compliance for business associates under the final rule is required by September 23, 2013. A special provision, however, applies to certain business associate agreements that existed at the time the final HIPAA rule was published. Therefore, a covered entity or business associate complies with the changes under the final rule if:
- Prior to January 25, 2013, a covered entity or its business associate entered into and operated under (and complied with) the contractual provisions in effect on the date of the agreement
- The agreement was not renewed or modified from March 26, 2013 until September 23, 2013
If the above requirements are met, an agreement will comply with the final rule until the earlier of:
- The date such contract or other arrangement is renewed or modified on or after September 23, 2013 or
- September 22, 2014
REQUIRED ACTION: ENSURE THAT BUSINESS ASSOCIATE AGREEMENTS ARE IN PLACE BETWEEN THE PLAN AND BUSINESS ASSOCIATES; ENSURE THAT BUSINESS ASSOCIATES HAVE AGREEMENTS IN PLACE WITH THEIR SUBCONTRACTORS.
Powered by Willis